CVE-2024-28182

MEDIUM EPSS 99.7%
Published Apr 4, 2024 · Modified Jun 17, 2026
5.3 CVSS 3.1
Medium

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
99.7th percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-770: Allocation of Resources Without Limits or Throttling

Affected Products 6

Vendor          Product        Version   Range
nghttp2         nghttp2        *         <1.61.0
debian          debian_linux   10.0      any
debian          debian_linux   11.0      any
fedoraproject   fedora         38        any
fedoraproject   fedora         39        any
fedoraproject   fedora         40        any

References 10

  • openwall.com http://www.openwall.com/lists/oss-security/2024/04/03/16
    Mailing List, Third Party Advisory
  • github.com https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
    Patch
  • github.com https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
    Patch
  • github.com https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
    Vendor Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
    Mailing List
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2024/09/msg00041.html
    Mailing List
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/
    Mailing List, Third Party Advisory
  • kb.cert.org https://www.kb.cert.org/vuls/id/421644

Remediation

  • github.com https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
    Patch
  • github.com https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
    Patch